Re: Content Security Policy updates
On 7/23/09 11:25 AM, Bil Corry wrote:
> Sid Stamm wrote on 7/23/2009 11:41 AM:
>> On 7/23/09 9:36 AM, Bil Corry wrote:
>>> And that section conflicts with what is said earlier in the document,
>>> specifically:
>>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are
>>> present in an HTTP response, the intersection of the policies is enforced"
>>> vs.
>>> "If multiple X-Content-Security-Policy headers are present in the HTTP
>>> response, then the first one encountered is used and the rest are
>>> discarded."
>>> and
>>> "Only the first X-Content-Security-Policy Response header received by the
>>> user agent will be considered; any additional X-Content-Security-Policy
>>> HTTP Response headers in the same response will be ignored."
>> Fixed. Multiple header instances cause the policies to be intersected.
>> This is more-or-less a replacement for meta tag support, which has been
>> dropped.
> There's still one sentence about it lingering under "Activation and
> Enforcement" that needs to be removed.

Thanks for catching this. Fixed.

> I think the section labeled "Policy Refinements with a Multiply-Specified
> Header" would be more clear if renamed to "Policy Intersection with Multiple
> Headers" or something similar.

Good call. Done. It's difficult to capture "policy refinements when the
X-Content-Security-Policy header appears many times" into a small section
header.

-Sid

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: Content Security Policy updates
Sid Stamm wrote on 7/23/2009 11:41 AM:
> On 7/23/09 9:36 AM, Bil Corry wrote:
>> And that section conflicts with what is said earlier in the document,
>> specifically:
>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are
>> present in an HTTP response, the intersection of the policies is enforced"
>> vs.
>> "If multiple X-Content-Security-Policy headers are present in the HTTP
>> response, then the first one encountered is used and the rest are discarded."
>> and
>> "Only the first X-Content-Security-Policy Response header received by the
>> user agent will be considered; any additional X-Content-Security-Policy HTTP
>> Response headers in the same response will be ignored."
> Fixed. Multiple header instances cause the policies to be intersected.
> This is more-or-less a replacement for meta tag support, which has been
> dropped.

There's still one sentence about it lingering under "Activation and
Enforcement" that needs to be removed.

I think the section labeled "Policy Refinements with a Multiply-Specified
Header" would be more clear if renamed to "Policy Intersection with Multiple
Headers" or something similar.

- Bil
Re: Content Security Policy updates
On 7/23/09 9:36 AM, Bil Corry wrote:
> Under "Policy Refinements with a Multiply-Specified Header" there is a
> misspelling of "X-Content-SecurityPolicy".

Fixed.

> And that section conflicts with what is said earlier in the document,
> specifically:
> "When multiple instances of the X-Content-SecurityPolicy HTTP header are
> present in an HTTP response, the intersection of the policies is enforced"
> vs.
> "If multiple X-Content-Security-Policy headers are present in the HTTP
> response, then the first one encountered is used and the rest are discarded."
> and
> "Only the first X-Content-Security-Policy Response header received by the
> user agent will be considered; any additional X-Content-Security-Policy HTTP
> Response headers in the same response will be ignored."

Fixed. Multiple header instances cause the policies to be intersected.
This is more-or-less a replacement for meta tag support, which has been
dropped.

Thanks Bil!

-Sid
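What "the intersection of the policies is enforced" amounts to in practice, as an added example that is not code from the thread, the draft spec or Mozilla: each header value is parsed into a policy, and a load is permitted only if every policy permits it, so a second header can only narrow what the first allowed. The contrasting "first one encountered is used" rule that Bil quoted is implemented alongside it to show the difference. Assumptions for illustration: directive names and source-list syntax follow the later standardised CSP form (default-src, img-src, script-src; space-separated sources; ';' between directives) rather than the 2009 draft's exact grammar; host-source matching is simplified (no path matching, a scheme-less host-source matches any scheme); every host name is constructed sample data.

```javascript
// Added example (not code from the thread, the CSP draft or Mozilla): what
// "the intersection of the policies is enforced" means when one response
// carries several X-Content-Security-Policy headers. Assumptions: directive
// names and source-list syntax follow the later standardised CSP form
// (directive, space-separated sources, ';' between directives); host-source
// matching is simplified (no paths, scheme-less sources match any scheme);
// all hosts below are constructed sample data.

const DEFAULT_PORTS = { http: '80', https: '443' };

// Parse one header value into a Map of directive name -> source expressions.
// Within one policy only the first occurrence of a directive counts.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression permit loading `url` into a document whose
// origin is `selfOrigin`? Handles 'none', 'self', '*' and host-sources of the
// form [scheme://][*.]host[:port]; anything else (e.g. 'unsafe-inline') never
// matches a URL.
function sourceMatches(expr, url, selfOrigin) {
  const target = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === selfOrigin;
  if (expr === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const targetScheme = target.protocol.slice(0, -1); // "https:" -> "https"
  if (scheme && scheme.toLowerCase() !== targetScheme) return false;
  const wantHost = host.toLowerCase();
  const hostOk = wildcard
    ? target.hostname.endsWith('.' + wantHost)
    : target.hostname === wantHost;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const targetPort = target.port || DEFAULT_PORTS[targetScheme] || '';
    if (port !== targetPort) return false;
  }
  return true;
}

// Does a single policy allow `url` for `directive`? A missing directive falls
// back to default-src; a policy that has neither places no restriction.
function policyAllows(policy, directive, url, selfOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some((expr) => sourceMatches(expr, url, selfOrigin));
}

// The rule the updated draft settles on: with several headers, a load is
// allowed only if every header's policy allows it. Adding a header can
// therefore only tighten the effective policy.
function intersectionAllows(headerValues, directive, url, selfOrigin) {
  return headerValues
    .map(parsePolicy)
    .every((policy) => policyAllows(policy, directive, url, selfOrigin));
}

// The wording Bil flagged as conflicting ("the first one encountered is used
// and the rest are discarded"), kept here only to contrast the two rules.
function firstHeaderAllows(headerValues, directive, url, selfOrigin) {
  return policyAllows(parsePolicy(headerValues[0]), directive, url, selfOrigin);
}

// Constructed sample: two X-Content-Security-Policy headers on one response.
// The second one narrows img-src and, via default-src, script-src as well.
const SAMPLE_HEADERS = [
  "default-src 'self'; img-src *; script-src 'self' https://cdn.example.com",
  "default-src 'self'; img-src https://images.example.com",
];
const SELF_ORIGIN = 'https://app.example.com';

// Stand-alone demonstration of the two rules side by side.
for (const [directive, url] of [
  ['img-src', 'https://images.example.com/logo.png'],
  ['img-src', 'https://tracker.example.net/pixel.gif'],
  ['script-src', 'https://cdn.example.com/lib.js'],
]) {
  console.log(
    directive, url,
    'intersection:', intersectionAllows(SAMPLE_HEADERS, directive, url, SELF_ORIGIN),
    'first-header-only:', firstHeaderAllows(SAMPLE_HEADERS, directive, url, SELF_ORIGIN),
  );
}
```

The script-src case is the instructive one: the second header never mentions script-src, yet its default-src 'self' still removes cdn.example.com from the effective script sources, because the fallback applies per policy before the policies are combined. Under the "first header wins" wording the second header would be discarded entirely, so a header added later in the response chain could never tighten the policy. The standardised Content-Security-Policy header later resolved the same question by enforcing each policy independently, which yields exactly this every-policy-must-allow result.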
Re: Content Security Policy updates
Daniel Veditz wrote on 7/23/2009 10:32 AM:
> Sid has updated the Content Security Policy spec to address some of the
> issues discussed here. https://wiki.mozilla.org/Security/CSP/Spec

Under "Policy Refinements with a Multiply-Specified Header" there is a
misspelling of "X-Content-SecurityPolicy".

And that section conflicts with what is said earlier in the document,
specifically:

"When multiple instances of the X-Content-SecurityPolicy HTTP header are
present in an HTTP response, the intersection of the policies is enforced"

vs.

"If multiple X-Content-Security-Policy headers are present in the HTTP
response, then the first one encountered is used and the rest are discarded."

and

"Only the first X-Content-Security-Policy Response header received by the
user agent will be considered; any additional X-Content-Security-Policy HTTP
Response headers in the same response will be ignored."

- Bil
Content Security Policy updates
Sid has updated the Content Security Policy spec to address some of the
issues discussed here. https://wiki.mozilla.org/Security/CSP/Spec

You can see the issues we've been tracking and the resolutions at the Talk
page: https://wiki.mozilla.org/Talk:Security/CSP/Spec

There are still a few open issues.